Solved: How do you compare a Single Value visualization to...

ccsfdave · ‎08-01-2016

Greetings,

My search is essentially a couple of time charts counting tweets and mentions. For final presentation I remove the tweet and mention fields and am left with the addtotals col=t as seen below. My single value dashboard gives me the 291 number at the bottom but then the % change is over 1000% because 291 is so much higher than 26. The reality is I want 291 compared to 265. So that would be like 9-10%.

_time          Total
2016-07-28  48
2016-07-29  120
2016-07-30  18
2016-07-31  79
2016-08-01  26
ColTotal    291

Can anyone think how I may accomplish this?

Thanks!

ccsfdave · ‎08-01-2016

|addtotals | streamstats sum(Total) as post_volume |fields - tweets mentions Total

I think this is the long and short of it. Definitely streamstat was the winner but had to change addtotals col=t to remove the column.

View solution in original post

ccsfdave · ‎08-01-2016

|addtotals | streamstats sum(Total) as post_volume |fields - tweets mentions Total

I think this is the long and short of it. Definitely streamstat was the winner but had to change addtotals col=t to remove the column.

twinspop · ‎08-01-2016

streamstats is what you probably want. Leave out the addcoltotals, and then something along the lines of:

... | streamstats window=5 current=t sum(count) as total | delta total as change | eval %=change/(total-change) | fields _time total %

ccsfdave · ‎08-01-2016

@twinspop I need the addtotals because I am adding two column together for the totals column. I will try your solution with the totals as I have it but am dubious it will work in the single value visualization but am hoping my suspicions are unfounded.

How do you compare a Single Value visualization to a sum of the prior day

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!